ait-aecid / logdata-anomaly-miner

This tool parses log data and lets you define analysis pipelines for anomaly detection. It was designed to run the analysis with limited resources and the lowest possible permissions, so that it is suitable for use on production servers.
GNU General Public License v3.0
70 stars, 23 forks

Missing timestamp warning for unparsed logs #1324

Closed landauermax closed 3 months ago

landauermax commented 4 months ago

The warning "No timestamp was found for a log_atom" is generated when unparsed events occur. I don't think that a warning should occur in this case, because it can be confusing - users will start looking for reasons why the timestamp is not there even though the line itself is the problem. An unparsed event is an anomaly and cannot be treated like a normal line anyway.

ernstleierzopf commented 4 months ago

This message is printed in the ByteStreamLineAtomizer before the log atom is parsed. Therefore the message cannot be filtered out if the atom cannot be parsed. However, I extended the error message to include alternatives such as using the use_real_time or continuous_timestamp_missing_warning parameters to only show this message once.
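A toy model of the ordering problem discussed in this thread, added here as an illustration; it is not code from logdata-anomaly-miner. The `Atomizer` class stands in for the real atomizer and its `warn_once` flag is a simplification of the "show this message once" behaviour that the continuous_timestamp_missing_warning parameter is described as providing; both names, the regex-based parser model and the sample log lines are constructed for this example. It shows why a timestamp lookup that runs before parsing cannot be conditioned on the parse result, how a warn-once mode limits the noise, and that in this sample every line that triggered the warning was also an unparsed event.

```python
"""Toy model of a line atomizer that warns about a missing timestamp before
the line is parsed (added example; not the project's own code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample input: ISO-prefixed sshd lines plus two lines that match
# no parser model at all and therefore carry no recognisable timestamp.
SAMPLE_LINES = [
    "2024-03-03T10:15:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "2024-03-03T10:15:07 host sshd[1234]: Failed password for root from 10.0.0.9",
    "\x00\x00binary junk that is not a log line",
    "2024-03-03T10:15:09 host sshd[1240]: Connection closed by 10.0.0.9",
    "<<truncated fragment",
]

# Timestamp prefix that the atomizer looks for before any parsing happens.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")

# Toy parser model (assumption, not a real aminer parser): timestamp, host,
# process name with pid in brackets, then free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def extract_timestamp(line):
    """Timestamp lookup done *before* parsing. Returns a datetime or None."""
    m = TS_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")


def parse_line(line):
    """Return the parsed fields as a dict, or None for an unparsed event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


@dataclass
class Atomizer:
    """Splits a stream into log atoms and warns when no timestamp is found.

    warn_once models a "show the warning only once" setting (assumption).
    """
    warn_once: bool = False
    warnings: list = field(default_factory=list)
    _warned: bool = False

    def process(self, lines):
        atoms = []
        for line in lines:
            ts = extract_timestamp(line)
            if ts is None:
                # The warning is emitted here, before parse_line() has run,
                # so it cannot be suppressed based on whether the line parses.
                if not (self.warn_once and self._warned):
                    self.warnings.append(
                        f"No timestamp was found for a log_atom: {line!r}")
                    self._warned = True
            parsed = parse_line(line)  # parsing happens only afterwards
            atoms.append((ts, parsed))
        return atoms


def count_warnings(lines, warn_once):
    """Number of missing-timestamp warnings emitted for the given lines."""
    atomizer = Atomizer(warn_once=warn_once)
    atomizer.process(lines)
    return len(atomizer.warnings)


def unparsed_count(lines):
    """Number of lines that match no parser model (unparsed events)."""
    return sum(1 for line in lines if parse_line(line) is None)


def warnings_only_on_unparsed(lines):
    """True when every line that lacked a timestamp also failed to parse,
    i.e. the warning carried no information beyond the unparsed event itself."""
    atoms = Atomizer().process(lines)
    return all(parsed is None for ts, parsed in atoms if ts is None)


if __name__ == "__main__":
    print("warnings (default):  ", count_warnings(SAMPLE_LINES, warn_once=False))
    print("warnings (warn once):", count_warnings(SAMPLE_LINES, warn_once=True))
    print("unparsed events:     ", unparsed_count(SAMPLE_LINES))
    print("warning only on unparsed lines:", warnings_only_on_unparsed(SAMPLE_LINES))
```

Running the example against the constructed lines gives two warnings in the default mode, one in warn-once mode, and two unparsed events; the last check confirms that here the missing-timestamp warning fired only for lines that were anomalies anyway, which is the redundancy the issue describes.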